iVote – strategic threat intelligence approach to e-voting

Imagine taking one of the most important processes within your business, making a revolutionary change to it and having to convince everyone that the process they’ve relied on isn’t nearly as perfect as they thought. That’s the challenge that was faced by Ian Brightwell, the CIO of the NSW Electoral Commission.

Online voting is one of those things that is often seen as being an obvious part of our future but is met with opposition regarding security and transparency. iVote came about, not because of a desire to introduce online voting, but in response to a court decision mandating that systems be made more accessible to visually impaired voters. The initial mandate was to investigate a telephone touch-tone based system but this gave way to a desire for a system that is more accessible to a wider group of people.

The NSW Electoral Commission worked with CSC and took a “proactive, focussed threat-defensive approach to the program”.

The project commenced in 2011 and was driven by a legislative requirement that came about through a 2008 court case. Brightwell said this led NSWEC to create a system that delivered Web-browser based electronic voting. What’s clear from his comments is that the project was needs-driven rather than technology-driven.

The target audience for e-voting is not the entire state of NSW. Only eligible voters who are visually impaired, overseas or who live more than 20 km from a polling place can use the system. This gave Brightwell and his team an advantage in deployment as they could essentially carry out a targeted pilot program.

At the most recent NSW state election, almost 50,000 voters used the system with about five times that number expected at the next election.

A managed risk approach

One of the main criticisms that is often made, said Brightwell, is that “you shouldn’t do anything dangerous on the Internet”. However, the NSW Electoral Commission took the view that it was dealing with comparative risk. Although the existing voting and counting process is long established and seen to be transparent, it is not without significant security and accuracy issues. For example, there have been cases of lost ballot papers, ballot papers being fed into a paper shredder instead of a counter by accident and numerous counting disputes. And there are many cases where individuals are left unattended with ballot papers.

There’s also the question of accuracy. With over four million ballots lodged at a state election, Brightwell said that it’s almost impossible to ensure an accurate, repeatable result using manual counting. In the vast majority of cases, seats are decided by margins that fall within acceptable error margins. But where a result is very close, recounts highlight the issues as each count is different to the one before. E-voting exhibits some risks, but the existing process is also not without its own security issues.

Brightwell said his key focal points for security were around the segregation of duties, systems, data and communications.

“Any one of those, anything that we put in place – any one of those can be broken or found to have fault at some level. That’s not the issue. It’s whether you can actually achieve such an outcome that the actual electoral process fails,” said Brightwell.

“That’s the balance we’re trying to make”.

The proposed systems deal with some of the concerns around access to data and transparency. Brightwell said it’s possible to write programs that look at the data and review electronically submitted ballots – providing an analog to the way ballots can also be accessed under the existing paper-based system.

Both the electronic and paper systems, according to Brightwell, are made of a mix of people, process and systems. It’s just that the ratio of the three elements is different.

An important part of the project was establishing a clear scope for what the system would manage as far as security went. For example, Brightwell said that the system does not try to deal with voter coercion, as that has not been a significant issue in Australian politics.

The voting system is designed around three main components: The core voting system operates in a government data centre, the registration system is held in the NSW Electoral Commission’s data centre and the verification system is offsite and managed by a third party. This segregation, as Brightwell noted, is a central part of the threat management strategy for the system.

In order for someone to break the anonymity of a voter or forge a vote, all three elements would need to be compromised.

Despite the apparent differences between electronic and paper voting, Brightwell said the processes are managed under the same legal frameworks. However, the nature of the evidence and how investigations are carried out will vary.

Tags: NSW Electoral Commission, iVote, AusCERT 2014
